In an extremely terse statement in its latest security advisory, Microsoft acknowledged that "targeted attacks" had occurred in the wild due to a vulnerability in Internet Explorer. According to Reuters, this security hole was made public last May by Google security researcher Tavis Ormandy, who skipped the usual protocol of notifying Microsoft first before telling the world -- or at least, the extremely geeky world of security wonks and hackers.

(Full disclosure: I've been unable to independently verify whether the "targeted attacks" referred to in the advisory are in fact due to the flaws revealed by Ormandy. The holes he revealed do not allow for remote attacks, which makes the scenario for a "targeted attack" hard to visualize. Perhaps readers with more gray matter than I can locate the links.)

In his posts, Ormandy noted that he was fed up with how Microsoft treated researchers like himself and that he didn't have "the free time to work on silly Microsoft code," so he was opening the hole to anyone who wanted to explore it further.

How long does it take Microsoft to get around to patching its products, minus any external pressure to do so? Try 17 years. That's how long it took to fix a hole in its Virtual DOS Machine made public in January 2010 by -- wait for it -- Tavis Ormandy.

In May 2013, shortly after Ormandy revealed the latest flaw in Windows, Google's Online Security Blog declared its new get-tough-on-security-slackers policy: Companies with critical vulnerabilities in their products would have seven days to patch the holes and/or notify customers before Google went public with the information.